February 2013

My Dad’s been working on family genealogy. One of my ancestors — George Darling, born 1615 in Midlothian — was sent to America by Cromwell. Dad writes:

The 3rd Civil War (1649-1651) pitted Scottish backers of Charles II against the English led by Oliver Cromwell. On September 3, 1650, Cromwell seized on an unexpected battlefield opportunity at Dunbar and destroyed the opposing Scottish Army taking an estimated 5,000 prisoners…

After being pronounced guilty at his “trial” in London, George was indentured to John Bex (Beax) and Company and sent to serve at the Lynn Ironworks in Lynn Massachusetts for an 8-year term of bondage…

One wonders, given his age in 1650, whether George didn’t leave an entire family back in Scotland? Did he have a wife and children in Midlothian? We’ll probably never know for sure, but we do know the families of the captured Scots never knew exactly what happened to them. They were not informed if their sons and husbands had been captured or died on the march back to London. They were never told whether their loved ones had been shipped an entire world away.

Anyway — if you’re a Scottish Darling, I can tell you what happened to George.

When Twitter was recently hacked, I was among those who got an email saying I was affected. So I changed my password.

But here’s what I’ve noticed: changing my password does not cause any of the Twitter clients on my iPhone to ask me again for authentication. They just keep working normally.

So here’s the scenario I worry about. I don’t know if this is accurate or not, or if it applies only to Twitter or is a more general OAuth issue.

Somebody gets my Twitter password.

They login using the same client I use, but on their iPhone. The client starts working.

I change my password.

They’re unaffected — that client continues to work on their iPhone, just as it does on mine.

Is this true?

If so, I don’t like it.

Update 5:50 pm

I should say what bothers me.

Yes, I can go into my Twitter settings and revoke access to any one or more apps. And: I’m a developer, and I’ve written OAuth client code — I’ve even written Twitter-specific code.

But here’s what normal people think: I’ll change my password and everything will be okay.

And I admit to having changed my password recently and been surprised that my Twitter client kept working, even though I should have known that it would keep working (had I thought about it).

Here’s the first paragraph of that email Twitter sent to a bunch of folks a couple weeks ago:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

Which would lead a normal person to believe that resetting your password would prevent other people from accessing your account in any way. But it’s not true, not if they’ve already accessed your account.

That email also says, near the end:

Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.

That’s good advice. However, if somebody else is using the very same client I use, or a client I used previously, I won’t see any apps I don’t recognize. (It could be a long list of apps, all recognized.)

I understand that OAuth is a security win in some ways. But implementors should, I think, be mindful of what normal people expect — which is that changing your password locks out every app until you re-authenticate.
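The scenario above as a small, constructed Python model (added here; not code from this post, and not a description of Twitter's real implementation): a store that validates tokens by lookup alone keeps every client working after a password change, exactly as described, while a store that records a credential version on each token and bumps it on password change forces every client, the owner's and the intruder's, to re-authenticate. The `revoke_client` method models the Applications-page revoke, which drops every token for a client name and cannot tell one copy of the same client from another. All class and function names are assumptions for the illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple
# Constructed in-memory model; all names are assumptions, not Twitter's implementation or any library's API.

def _hash(password: str) -> bytes:
    # Constant salt keeps the example short; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)

class TokenStore:
    def __init__(self, bind_tokens_to_password: bool):
        self.bind = bind_tokens_to_password
        self.accounts: Dict[str, Tuple[bytes, int]] = {}     # user -> (pw hash, credential version)
        self.tokens: Dict[str, Tuple[str, str, int]] = {}    # token -> (user, client, version at issue)

    def register(self, user: str, password: str) -> None:
        self.accounts[user] = (_hash(password), 0)

    def login(self, user: str, password: str, client: str) -> Optional[str]:
        entry = self.accounts.get(user)
        if entry is None or not secrets.compare_digest(entry[0], _hash(password)):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (user, client, entry[1])   # remember the version it was issued under
        return token

    def change_password(self, user: str, new_password: str) -> None:
        version = self.accounts[user][1]
        # Bound mode bumps the version, so every token issued earlier becomes stale.
        self.accounts[user] = (_hash(new_password), version + 1 if self.bind else version)

    def revoke_client(self, user: str, client: str) -> int:
        # Applications-page model: drops every token for that client name, owner's and intruder's alike.
        doomed = [t for t, (u, c, _) in self.tokens.items() if u == user and c == client]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def is_valid(self, token: str) -> bool:
        entry = self.tokens.get(token)
        return entry is not None and entry[2] == self.accounts[entry[0]][1]

def scenario(bind_tokens_to_password: bool) -> Tuple[bool, bool]:
    # Owner and intruder both log in with the same client; owner then changes the password.
    store = TokenStore(bind_tokens_to_password)
    store.register("owner", "old-pw")
    mine = store.login("owner", "old-pw", "TweetClient/iPhone")
    theirs = store.login("owner", "old-pw", "TweetClient/iPhone")
    store.change_password("owner", "new-pw")
    return store.is_valid(mine), store.is_valid(theirs)   # (owner still valid, intruder still valid)
```

`scenario(False)` reproduces the behaviour the post describes, both tokens survive the password change; `scenario(True)` is the behaviour normal people expect, both tokens die.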

Here’s the thing: a bunch of RSS readers rely on Google Reader for syncing — but Google Reader is not a syncing service, and its APIs are undocumented and unsupported.

TechCrunch describes Google Reader as “benignly abandoned” — which, for native RSS readers that use it, is worse than actual abandonment, because broken syncing is worse than no syncing.

My friend Jake asks if Google could spin off Reader. My guess: it’s not worth their time to pursue. What they’d get for it isn’t worth the time to consider it. (And that’s before you factor in the difficulty of transferring it.)

Google has learned to focus, and they’re doing some great work. (I especially like Google Maps for iOS.)

Part of learning to focus is learning how to shut things down. Google has done well at that — but I’m surprised that Google Reader hasn’t been shut down yet. Better a clean shut-down than an ungraceful end.

Back in the ’70s and ’80s I was obsessed with hi-fi systems. In those days there were lots of all-in-one systems: tuner, amp, turntable, cassette deck, and speakers. (Sometimes the speakers were detachable.)

But those were the crappy, cut-rate systems. A real audiophile would buy separate components — the best components they could afford — and create their own system.

What I like about this mix is that we could swap out any part of it — GitHub instead of Bitbucket, for instance, if we liked it better. Just like buying a better tuner.

* * *

Note one thing not on the list: nothing real-time. No chat, no irc, no Skype.

If you’re a larger company like Omni or Black Pixel, a full-time chat room might make sense. But for groups of two or three people, when is everybody in front of their computer and in a state where they could be interrupted? Not that often.

Also not on the list: shared calendar. That may need to change, at least for some of the projects. I find shared calendars a pain. (I have a hell of a time figuring out how to make Google calendars work, at least.)

Yesterday was my last day at Sepia Labs. We had a great team and I loved working on Glassboard — and I remain a Glassboard user. I rely on it, even.

And even though I’ve left, I trust the team to continue to do the right things. Everybody at Sepia Labs shares the same vision. (Privacy. No ads. Nothing creepy.)

But it was time for me to return to my natural habitat as an indie developer.

I feel like the not-quite-domesticated dog who’s been given to live on a farm. Tell the kids I’ll be happier there — tell ’em how I’ll chase rabbits and sleep in the sun and run off into the woods whenever I want.

* * *

I’m working on cool new things. It’s too early to talk about the things — but I can talk about my goals. I have two:

Make great software on my own.

Make great software with other people.

The first goal is a given — the second one is interesting.

I’ll turn 45 in a couple months. I realized that the next 10 years of my career will be the highlight: partly because the app world has matured so much, and partly because I’ll be at my personal best. (And maybe it’s really the next 15 or 20 years.)

I’d hate to look back and regret not getting to work with talented people. There are so many, and I’ve found that I love working with other people.